Bug 57872 - Do not auto-switch session cookie to version=1 due to '/' in Path when running in "strict compliance" mode (Internet Explorer and rfc6265)
Summary: Do not auto-switch session cookie to version=1 due to '/' in Path when runnin...
Status: NEW
Alias: None
Product: Tomcat 7
Classification: Unclassified
Component: Catalina (show other bugs)
Version: 7.0.61
Hardware: PC All
: P2 enhancement (vote)
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
Depends on:
Reported: 2015-04-29 07:49 UTC by Konstantin Kolinko
Modified: 2015-04-29 08:16 UTC (History)
0 users


Note You need to log in before you can comment on or make changes to this bug.
Description Konstantin Kolinko 2015-04-29 07:49:07 UTC
Encountered this when migrating a legacy web application from old Tomcat 6 to current Tomcat 7(.0.61). Reproducible with current Tomcat 8 as well.
Essential is that both Tomcat 6 and Tomcat 7 were configured with


User-visible symptoms:

The count of active sessions (as shown in Manager application) increases rapidly. This does not occur when the same application is deployed on Tomcat 6.


1) Configured AccessLogValve to log incoming "cookie" headers and outgoing "set-cookie" headers and the current session.Id by adding the following text to its pattern:

SessionId:%S [Cookie received: %{cookie}i] [Set-Cookie sent: %{set-cookie}o]

2) Disabled HttpOnly -- to bring Tomcat 7 configuration more closely to Tomcat 6 one. This is done by setting <Context useHttpOnly="false"> in context file of the web application.


In year 2009 a new feature was implemented in Tomcat 7 that a cookie is automatically switched from "version 0" cookie (Netscape cookie) to "version 1" cookie (RFC2109 cookie) when value/path/domain properties of the cookie contain a character that need to be quoted.

When "STRICT_SERVLET_COMPLIANCE" is true, one of characters that triggers "version 1" is '/'. As every session cookie contains a Path that starts with '/' this causes all session cookies to become "version 1" ones.

The problem is when client is Internet Explorer.

If I look into access log, the set-cookie header sent by an old Tomcat 6 looks like the following:

JSESSIONID=E8776ACC0C787BBAD5C7EEC4770877E1; Path=/foo

The set-cookie header sent by Tomcat 7 looks like the following:

JSESSIONID=A7A0CBBF5813DF4DEADFFFD3475E09AD; Version=1; Path="/foo/"

The problem is quoted value of Path. It is not understood by Internet Explorer and subsequent HTTP and Ajax requests do not include a "cookie" header. This is observed both with IE 8 and with current IE 11.

For a reference, an old report

Known solution:

Tomcat 7 and 8: Set the following system property:

Tomcat 8 (better solution): configure a <CookieProcessor> to be "org.apache.tomcat.util.http.Rfc6265CookieProcessor" instead of default LegacyCookieProcessor.


1) '/' alone should not trigger conversion from version 0 cookie to version 1 cookie. Netscape specification (as linked from rfc6265) uses unquoted '/' in Path in its examples, so it is explicitly OK to use '/' in the Path.

Generally, there may be other safe characters, as RFC6265 allows <any CHAR except CTLs or ";"> in path-value, but '/' is such a blatant example. Every path starts with a '/'.

2) Processing of a cookie that has "version=1" (set explicitly, or converted due to other reasons) is unchanged. The path will be quoted here. RFC2109 quotes Path in its examples.

The FWD_SLASH_IS_SEPARATOR flag is left to control quoting in version 1 cookies. (This is why I do not propose changing the default value of FWD_SLASH_IS_SEPARATOR).
Comment 1 Konstantin Kolinko 2015-04-29 08:16:33 UTC
> For a reference, an old report

I meant to link to bug 45272 there. Just for information.